X-Git-Url: https://git.openssl.org/?a=blobdiff_plain;f=ssl%2Fssl_ciph.c;h=a046c71e2f30b2dac9e459a577c1eccb8842957c;hb=77ff1f3b8bfaa348956c5096a2b829f2e767b4f1;hp=405da44cf616071f3ef33b0469b90c9d80be3e67;hpb=7cb472bd0d0fd9da3d42bed1acc56c3a79fc5328;p=openssl.git diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index 405da44cf6..a046c71e2f 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -203,7 +203,7 @@ static int ssl_mac_secret_size[SSL_MD_NUM_IDX]={ 0,0,0,0,0,0 }; -static int ssl_handshake_digest_flag[SSL_MD_NUM_IDX]={ +static const int ssl_handshake_digest_flag[SSL_MD_NUM_IDX]={ SSL_HANDSHAKE_MAC_MD5,SSL_HANDSHAKE_MAC_SHA, SSL_HANDSHAKE_MAC_GOST94, 0, SSL_HANDSHAKE_MAC_SHA256, SSL_HANDSHAKE_MAC_SHA384 @@ -314,7 +314,6 @@ static const SSL_CIPHER cipher_aliases[]={ {0,SSL_TXT_SHA384,0, 0,0,0,SSL_SHA384, 0,0,0,0,0}, /* protocol version aliases */ - {0,SSL_TXT_SSLV2,0, 0,0,0,0,SSL_SSLV2, 0,0,0,0}, {0,SSL_TXT_SSLV3,0, 0,0,0,0,SSL_SSLV3, 0,0,0,0}, {0,SSL_TXT_TLSV1,0, 0,0,0,0,SSL_TLSV1, 0,0,0,0}, {0,SSL_TXT_TLSV1_2,0, 0,0,0,0,SSL_TLSV1_2, 0,0,0,0}, @@ -644,10 +643,8 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc, s->ssl_version < TLS1_VERSION) return 1; -#ifdef OPENSSL_FIPS if (FIPS_mode()) return 1; -#endif if (c->algorithm_enc == SSL_RC4 && c->algorithm_mac == SSL_MD5 && @@ -815,7 +812,7 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method, /* * We have num_of_ciphers descriptions compiled in, depending on the - * method selected (SSLv2 and/or SSLv3, TLSv1 etc). + * method selected (SSLv3, TLSv1 etc). * These will later be sorted in a linked list with at most num * entries. */ @@ -827,9 +824,7 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method, c = ssl_method->get_cipher(i); /* drop those that use any of that is not available */ if ((c != NULL) && c->valid && -#ifdef OPENSSL_FIPS (!FIPS_mode() || (c->algo_strength & SSL_FIPS)) && -#endif !(c->algorithm_mkey & disabled_mkey) && !(c->algorithm_auth & disabled_auth) && !(c->algorithm_enc & disabled_enc) && @@ -842,7 +837,7 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method, co_list[co_list_num].active = 0; co_list_num++; #ifdef KSSL_DEBUG - printf("\t%d: %s %lx %lx %lx\n",i,c->name,c->id,c->algorithm_mkey,c->algorithm_auth); + fprintf(stderr,"\t%d: %s %lx %lx %lx\n",i,c->name,c->id,c->algorithm_mkey,c->algorithm_auth); #endif /* KSSL_DEBUG */ /* if (!sk_push(ca_list,(char *)c)) goto err; @@ -959,7 +954,7 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id, int reverse = 0; #ifdef CIPHER_DEBUG - printf("Applying rule %d with %08lx/%08lx/%08lx/%08lx/%08lx %08lx (%d)\n", + fprintf(stderr, "Applying rule %d with %08lx/%08lx/%08lx/%08lx/%08lx %08lx (%d)\n", rule, alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, algo_strength, strength_bits); #endif @@ -1005,7 +1000,7 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id, else { #ifdef CIPHER_DEBUG - printf("\nName: %s:\nAlgo = %08lx/%08lx/%08lx/%08lx/%08lx Algo_strength = %08lx\n", cp->name, cp->algorithm_mkey, cp->algorithm_auth, cp->algorithm_enc, cp->algorithm_mac, cp->algorithm_ssl, cp->algo_strength); + fprintf(stderr, "\nName: %s:\nAlgo = %08lx/%08lx/%08lx/%08lx/%08lx Algo_strength = %08lx\n", cp->name, cp->algorithm_mkey, cp->algorithm_auth, cp->algorithm_enc, cp->algorithm_mac, cp->algorithm_ssl, cp->algo_strength); #endif #ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL if (cipher_id && cipher_id != cp->id) @@ -1028,7 +1023,7 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id, } #ifdef CIPHER_DEBUG - printf("Action = %d\n", rule); + fprintf(stderr, "Action = %d\n", rule); #endif /* add the cipher if it has not been added yet. */ @@ -1441,6 +1436,7 @@ static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c, return 0; } +#ifndef OPENSSL_NO_ECDH switch(suiteb_flags) { case SSL_CERT_FLAG_SUITEB_128_LOS: @@ -1459,6 +1455,10 @@ static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c, /* Set auto ECDH parameter determination */ c->ecdh_tmp_auto = 1; return 1; +#else + SSLerr(SSL_F_CHECK_SUITEB_CIPHER_LIST, SSL_R_ECDH_REQUIRED_FOR_SUITEB_MODE); + return 0; +#endif } #endif @@ -1497,7 +1497,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, */ num_of_ciphers = ssl_method->num_ciphers(); #ifdef KSSL_DEBUG - printf("ssl_create_cipher_list() for %d ciphers\n", num_of_ciphers); + fprintf(stderr,"ssl_create_cipher_list() for %d ciphers\n", num_of_ciphers); #endif /* KSSL_DEBUG */ co_list = (CIPHER_ORDER *)OPENSSL_malloc(sizeof(CIPHER_ORDER) * num_of_ciphers); if (co_list == NULL) @@ -1616,15 +1616,16 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, */ for (curr = head; curr != NULL; curr = curr->next) { -#ifdef OPENSSL_FIPS if (curr->active && (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS)) -#else - if (curr->active) -#endif { - sk_SSL_CIPHER_push(cipherstack, curr->cipher); + if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) + { + OPENSSL_free(co_list); + sk_SSL_CIPHER_free(cipherstack); + return NULL; + } #ifdef CIPHER_DEBUG - printf("<%s>\n",curr->cipher->name); + fprintf(stderr, "<%s>\n",curr->cipher->name); #endif } } @@ -1653,7 +1654,7 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) int is_export,pkl,kl; const char *ver,*exp_str; const char *kx,*au,*enc,*mac; - unsigned long alg_mkey,alg_auth,alg_enc,alg_mac,alg_ssl,alg2; + unsigned long alg_mkey,alg_auth,alg_enc,alg_mac,alg_ssl; #ifdef KSSL_DEBUG static const char *format="%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s AL=%lx/%lx/%lx/%lx/%lx\n"; #else @@ -1666,16 +1667,12 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) alg_mac = cipher->algorithm_mac; alg_ssl = cipher->algorithm_ssl; - alg2=cipher->algorithm2; - is_export=SSL_C_IS_EXPORT(cipher); pkl=SSL_C_EXPORT_PKEYLENGTH(cipher); kl=SSL_C_EXPORT_KEYLENGTH(cipher); exp_str=is_export?" export":""; - if (alg_ssl & SSL_SSLV2) - ver="SSLv2"; - else if (alg_ssl & SSL_SSLV3) + if (alg_ssl & SSL_SSLV3) ver="SSLv3"; else if (alg_ssl & SSL_TLSV1_2) ver="TLSv1.2"; @@ -1714,6 +1711,9 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) case SSL_kSRP: kx="SRP"; break; + case SSL_kGOST: + kx="GOST"; + break; default: kx="unknown"; } @@ -1747,6 +1747,12 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) case SSL_aSRP: au="SRP"; break; + case SSL_aGOST94: + au="GOST94"; + break; + case SSL_aGOST01: + au="GOST01"; + break; default: au="unknown"; break; @@ -1761,8 +1767,7 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) enc="3DES(168)"; break; case SSL_RC4: - enc=is_export?(kl == 5 ? "RC4(40)" : "RC4(56)") - :((alg2&SSL2_CF_8_BYTE_ENC)?"RC4(64)":"RC4(128)"); + enc=is_export?(kl == 5 ? "RC4(40)" : "RC4(56)"):"RC4(128)"; break; case SSL_RC2: enc=is_export?(kl == 5 ? "RC2(40)" : "RC2(56)"):"RC2(128)"; @@ -1794,6 +1799,9 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) case SSL_SEED: enc="SEED(128)"; break; + case SSL_eGOST2814789CNT: + enc="GOST89(256)"; + break; default: enc="unknown"; break; @@ -1816,6 +1824,12 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) case SSL_AEAD: mac="AEAD"; break; + case SSL_GOST89MAC: + mac="GOST89"; + break; + case SSL_GOST94: + mac="GOST94"; + break; default: mac="unknown"; break; @@ -1846,8 +1860,6 @@ char *SSL_CIPHER_get_version(const SSL_CIPHER *c) i=(int)(c->id>>24L); if (i == 3) return("TLSv1/SSLv3"); - else if (i == 2) - return("SSLv2"); else return("unknown"); } @@ -1941,12 +1953,14 @@ int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm) if (cm == NULL || cm->type == NID_undef) return 1; - /* According to draft-ietf-tls-compression-04.txt, the - compression number ranges should be the following: - - 0 to 63: methods defined by the IETF - 64 to 192: external party methods assigned by IANA - 193 to 255: reserved for private use */ + /*- + * According to draft-ietf-tls-compression-04.txt, the + * compression number ranges should be the following: + * + * 0 to 63: methods defined by the IETF + * 64 to 192: external party methods assigned by IANA + * 193 to 255: reserved for private use + */ if (id < 193 || id > 255) { SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE); @@ -1955,6 +1969,13 @@ int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm) MemCheck_off(); comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP)); + if (comp == NULL) + { + MemCheck_on(); + SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,ERR_R_MALLOC_FAILURE); + return(1); + } + comp->id=id; comp->method=cm; load_builtin_compressions();